Hi,

1) I'm not sure that the calculations given in the article are good.
Average alone does not give a lot of information. For example:

(1+90)/2 = 45.5 and (45+46)/2 = 45.5

It would be similar: 1 point if a patch is released very late,
90 if released very early, and 45, 46 in the middle. As one can
see, release time differs very much, but the average is the
same. So average alone does not give a lot of information. It
would be a different story if, together with the average, there
were a standard distribution; average alone is not enough.

2) I don't think that this calculation can be used for future
planning: "what system will be better". Statistically we should
apply "z" or at least "t" statistics instead of a simple average.

Generally speaking, the calculations given in the article are the simplest
ones taught in primary school. I did not find anything from
advanced statistics according to which the rating could be applied.

elwis

On 8/7/06, Vincent Rivellino <vince@×××××××××.org> wrote:
>
>
> Interesting study. I like the premise of it. However, I'm not sure I
> agree with their method. From the article:
>
> "For instance, if a distribution fixed an issue on the earliest date, it
> would receive a score of 100 for that issue; if it was the last vendor to
> fix the issue, it would get a score of 0. One can then average the scores
> after evaluating the 30 issues."
>
> So this is just a ranking, with no quantitative results. What I'd really
> like to know are the distributions' average response times for the High
> and Moderate vulnerabilities.
>
> While Gentoo might be 6th, I'd like to know how much slower Gentoo gets
> out patches than Ubuntu, Fedora, and/or RHEL.
>
>
> -Vince
>
>
> --
> Vincent Rivellino
> GPG Key ID: 62BFEBE4
> https://cuz.cx/gpg
>
>
> On Mon, August 7, 2006 07:42, Wolfram Schlich wrote:
> > Hi,
> >
> >
> > I just stumbled over an article from SearchSecurity.com which was linked
> > to in a heise newsticker posting that tries to analyze how fast
> > distributions react to security vulnerabilities:
> >
> > http://tinyurl.com/lplfb
> >
> >
> > Quick chart:
> >
> >
> > Rank Distro                    Points/100
> > ---- ------------------------- ----------
> > 1.   Ubuntu                    76
> > 2.   Fedora Core               70
> > 3.   Red Hat Enterprise Linux  63
> > 4.   Debian GNU/Linux          61
> > 5.   Mandriva Linux            54
> > 6.   Gentoo Linux              39
> > 7.   Trustix Secure Linux      32
> > 8.   SUSE Linux Enterprise     32
> > 9.   Slackware Linux           30
> >
> >
> > Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
> >
> >
> > Any comments or thoughts about this?
> > Can we become better?
> > Are we maybe better than the author pretends?
> > Does the security team currently face serious problems that need to be
> > solved, be it inside or outside the security team?
> >
> > I am just curious and would be glad to get some feedback :)
> > --
> > Regards,
> > Wolfram Schlich <wschlich@g.o>
> > Gentoo Linux * http://dev.gentoo.org/~wschlich/
> > --
> > gentoo-security@g.o mailing list
> >
> >
>
>

--
Eilverijus Kondratas
Master studies in Computer Science
Free University of Bozen-Bolzano
Italy, Bolzano
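To make the two objections in this thread concrete (a per-issue rank score hides the actual response times, and an average alone hides the spread), here is an added Python example that is not part of the thread or the article. The distro names, the days-to-fix figures and the linear scoring of intermediate rank positions are all constructed assumptions; the quoted article only states that the earliest fixer gets 100 and the last gets 0.

```python
"""Rank score vs. mean/standard deviation/Welch t of days-to-fix."""
from math import sqrt
from statistics import mean, stdev

# Constructed sample: issue -> {distro: days from disclosure to fix}.
# "A" mirrors the (1, 90) series from the reply, "B" mirrors (45, 46).
FIX_DAYS = {
    "issue-1": {"A": 1,  "B": 45, "C": 2, "D": 10},
    "issue-2": {"A": 90, "B": 46, "C": 3, "D": 12},
    "issue-3": {"A": 1,  "B": 45, "C": 2, "D": 11},
    "issue-4": {"A": 90, "B": 46, "C": 4, "D": 9},
    "issue-5": {"A": 1,  "B": 45, "C": 2, "D": 10},
    "issue-6": {"A": 90, "B": 46, "C": 3, "D": 12},
}


def rank_scores(fix_days):
    """Article-style score averaged over issues: earliest fix = 100,
    last fix = 0. Intermediate positions are assumed linear in rank."""
    totals = {}
    for per_distro in fix_days.values():
        order = sorted(per_distro, key=per_distro.get)
        n = len(order)
        for pos, distro in enumerate(order):
            totals.setdefault(distro, []).append(100 * (n - 1 - pos) / (n - 1))
    return {d: mean(v) for d, v in totals.items()}


def response_stats(fix_days):
    """Mean and sample standard deviation of days-to-fix per distro."""
    days = {}
    for per_distro in fix_days.values():
        for distro, d in per_distro.items():
            days.setdefault(distro, []).append(d)
    return {d: (mean(v), stdev(v)) for d, v in days.items()}


def welch_t(x, y):
    """Welch's t statistic for the difference of two sample means;
    an equal-mean pair such as A vs. B gives 0 regardless of spread."""
    return (mean(x) - mean(y)) / sqrt(stdev(x) ** 2 / len(x) + stdev(y) ** 2 / len(y))


if __name__ == "__main__":
    scores, stats = rank_scores(FIX_DAYS), response_stats(FIX_DAYS)
    for d in sorted(scores):  # A and D tie on score; A and B tie on mean
        m, s = stats[d]
        print(f"{d}: score {scores[d]:5.1f}  mean {m:5.1f} days  stdev {s:5.1f}")
```

In this constructed data A and D both score 50 although D fixes in about 11 days on average and A in 45.5, while A and B share the 45.5-day mean with standard deviations of roughly 48.7 and 0.5 days.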